Cisco Bug: CSCvv35565 - L3 ECMP load balancing not working as expected for fragmented packets.
Oct 08, 2020
- Cisco Catalyst 3850 Series Switches
Known Affected Releases
Symptom: Fragments of the same packet might be hashed differently depending on the tuple. By default, the following parameters are used for load balancing: source IP, destination IP, source port, destination port, and L4 protocol. When a packet is fragmented, the full 5-tuple is used for the hash of the first fragment only. The remaining fragments do not carry the full 5-tuple (only source IP, destination IP, and L4 protocol), which causes the hash calculation to give them a different path. This can happen with packets generated by the switch or with routed packets passing through the switch.

Conditions: This was observed in an L3 ECMP dual-ISP scenario. Specifically, for fragmented EAP-TLS RADIUS packets, ECMP hashes the fragments differently, causing the fragments to reach the remote ISE server out of order and the authentication to time out.
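The path split described in the symptom can be reproduced in a small model that reports which datagrams have fragments assigned to more than one ECMP path. This is an added example, not Cisco code: the SHA-256 stand-in hash, the two-path setup, the constructed addresses and ports, and the `key_fragment_safe` comparison (hashing only fields present in every fragment) are assumptions and are not taken from the bug record.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple, Optional

class Frag(NamedTuple):
    src: str
    dst: str
    proto: int
    ip_id: int                    # IP identification: groups fragments of one datagram
    offset: int                   # fragment offset, in 8-byte units
    sport: Optional[int] = None   # L4 ports are present only when offset == 0
    dport: Optional[int] = None

def key_as_described(f):
    """Hash input per the bug text: 5-tuple on the first fragment, 3-tuple on the rest."""
    if f.offset == 0:
        return (f.src, f.dst, f.proto, f.sport, f.dport)
    return (f.src, f.dst, f.proto)

def key_fragment_safe(f):
    """Assumed comparison: only fields that every fragment carries."""
    return (f.src, f.dst, f.proto)

def pick_path(key, n_paths=2):
    # Stand-in hash (SHA-256), not the switch's real ECMP hash function.
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

def split_datagrams(frags, key_fn, n_paths=2):
    """Return the datagrams whose fragments were assigned to more than one path."""
    paths = defaultdict(set)
    for f in frags:
        paths[(f.src, f.dst, f.proto, f.ip_id)].add(pick_path(key_fn(f), n_paths))
    return sorted(d for d, p in paths.items() if len(p) > 1)

def radius_datagram(ip_id, sport):
    # Constructed sample: one UDP/1812 datagram split into three fragments.
    base = ("192.0.2.10", "198.51.100.20", 17, ip_id)
    return [Frag(*base, 0, sport, 1812), Frag(*base, 185), Frag(*base, 370)]

# Constructed input: 200 fragmented datagrams that differ only in source port.
SAMPLE = [f for i in range(200) for f in radius_datagram(i, 20000 + i)]

if __name__ == "__main__":
    print("split, hashing as described:", len(split_datagrams(SAMPLE, key_as_described)), "of 200")
    print("split, fragment-safe key:   ", len(split_datagrams(SAMPLE, key_fragment_safe)), "of 200")
```

The same `split_datagrams` grouping on (source, destination, protocol, IP ID) can be applied to per-uplink packet captures to confirm whether fragments of one datagram left on different paths.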